The control activities involved in maintaining the integrity of the database are as under:
(a) Definition Controls: These controls are placed to ensure that the database always corresponds to and complies with its definition standards.
(b) Existence/Backup Controls: These ensure the existence of the database by establishing backup and recovery procedures. Backup refers to making copies of the data so that these additional copies may be used to restore the original data after a data loss. Backup controls ensure the availability of the system in the event of data loss due to unauthorized access, equipment failure or physical disaster, so that the organization can retrieve its files and databases. Various backup strategies are given as follows:
• Dual recording of data: Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated.
• Periodic dumping of data: This strategy involves taking a periodic dump of all or part of the database onto some backup storage medium (magnetic tape, removable disk, optical disk etc.). The dump may be scheduled.
• Logging input transactions: This involves logging the input data transactions which cause changes to the database. Normally, this works in conjunction with a periodic dump.
• Logging changes to the data: This involves copying a record each time it is changed by an update action.
(c) Access Controls: Access controls are designed to prevent unauthorized individuals from viewing, retrieving, computing or destroying the entity's data. Controls are established in the following manner:
• User Access Controls through passwords, tokens and biometric controls; and
• Data Encryption: Keeping the data in the database in encrypted form.
(d) Update Controls: These controls restrict update of the database to authorized users in two ways:
• By permitting only addition of data to the database; and
• By allowing users to change or delete existing data.
(e) Concurrency Controls: These controls provide solutions, agreed-upon schedules and strategies to overcome the data integrity problems that may arise when two update processes access the same data item at the same time.
(f) Quality Controls: These controls ensure the accuracy, completeness, and consistency of data maintained in the database. This may include traditional measures such as program validation of input data and batch controls over data in transit through the organization.
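As an added illustration (not part of the study material), the following Python script shows how the periodic-dump and input-transaction-log strategies listed above work together for recovery: the live rows are wiped, the last dump is restored, and the transactions logged after that dump are replayed. The key/value store, the BackupMedia class and the sample account transactions are constructed for this example.

```python
"""Periodic dump plus transaction-log replay for database recovery.

Added illustration (not from the study material): a toy key/value store
protected by two of the strategies listed above, a periodic dump of the
whole database and a log of every input transaction applied after it.
Dump and log live on a separate "media" object so that losing the live
data does not lose them.
"""
import copy
import json
from typing import Dict, List, Optional, Tuple

Row = Dict[str, int]


class BackupMedia:
    """Stand-in for the backup storage medium (tape, removable disk, ...)."""

    def __init__(self) -> None:
        self.dump: Optional[Row] = None   # latest periodic dump of all rows
        self.txn_log: List[str] = []      # input transactions logged since that dump


class Database:
    def __init__(self, media: BackupMedia) -> None:
        self.rows: Row = {}
        self.media = media

    def apply(self, txn: dict, log: bool = True) -> None:
        """Apply one input transaction: {"op": "put"|"delete", "key": ..., "value": ...}."""
        if txn["op"] == "put":
            self.rows[txn["key"]] = txn["value"]
        elif txn["op"] == "delete":
            self.rows.pop(txn["key"], None)
        else:
            raise ValueError(f"unknown op {txn['op']!r}")
        if log:
            # Logging input transactions: the log records what was requested,
            # serialised so it does not share objects with the live rows.
            self.media.txn_log.append(json.dumps(txn))

    def dump(self) -> None:
        """Periodic dump: copy every row to the backup medium and start a fresh log."""
        self.media.dump = copy.deepcopy(self.rows)
        self.media.txn_log = []

    def recover(self, replay_log: bool = True) -> Row:
        """Restore the last dump, then (optionally) replay the transactions logged after it."""
        if self.media.dump is None:
            raise RuntimeError("no dump available; nothing to recover from")
        self.rows = copy.deepcopy(self.media.dump)
        if replay_log:
            for line in self.media.txn_log:
                self.apply(json.loads(line), log=False)   # do not re-log during replay
        return self.rows


def simulate_loss_and_recovery(replay_log: bool = True) -> Tuple[Row, Row]:
    """Run a day of updates around a dump, wipe the live data, then recover.

    Returns (state just before the loss, state after recovery)."""
    media = BackupMedia()
    db = Database(media)
    db.apply({"op": "put", "key": "acct:1", "value": 100})   # constructed sample data
    db.apply({"op": "put", "key": "acct:2", "value": 250})
    db.dump()                                               # nightly dump taken here
    db.apply({"op": "put", "key": "acct:1", "value": 90})   # changes after the dump ...
    db.apply({"op": "put", "key": "acct:3", "value": 40})
    db.apply({"op": "delete", "key": "acct:2"})             # ... exist only in the log
    before = copy.deepcopy(db.rows)
    db.rows.clear()                                         # constructed failure: live data lost
    return before, db.recover(replay_log=replay_log)


if __name__ == "__main__":
    before, after = simulate_loss_and_recovery()
    print("dump + log replay recovers everything:", before == after)
    before, after = simulate_loss_and_recovery(replay_log=False)
    print("dump alone loses post-dump work:", before != after, after)
```

Recovering from the dump alone returns the database to its state at dump time and silently loses the later transactions, which is why the text pairs transaction logging with a periodic dump. Each new dump also lets the log be truncated, since only transactions after the latest dump are ever replayed.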
3.7.5 Quality Assurance Management Controls
Quality Assurance management is concerned with ensuring that the
unauthorized purposes. Some of the major threats to the security of information systems and their controls are discussed in Table 3.7.2:
Table 3.7.2: Major Security threats and their control measures
Threat: Controls
- Fire: Well-designed, reliable fire-protection systems must be implemented.
- Water: Facilities must be designed and sited to mitigate losses from water damage.
- Energy Variations: Voltage regulators, circuit breakers, and uninterruptible power supplies can be used.
- Structural Damage: Facilities like BCP, DRP, Insurance etc. must be adopted to withstand structural damage that may occur due to earthquake, snow, wind, avalanche etc.
- Pollution: Regular cleaning of facilities and equipment should occur.
- Unauthorized Intrusion: Physical access controls can be used.
- Viruses and Worms: Controls to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate.
- Misuse of software, data and services: Code of conduct to govern the actions of information systems employees.
- Hackers: Strong, logical access controls to mitigate losses from the activities of hackers.
However, in spite of the controls in place, there is a possibility that a control might fail. When disaster strikes, it still must be possible to recover operations and mitigate losses using the last-resort controls: a Disaster Recovery Plan (DRP) and Insurance.
• DRP: A comprehensive DRP comprises four parts: an Emergency Plan, a Backup Plan, a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines, and procedures for all Information System personnel. BCP (Business Continuity Planning) Controls are related to having an operational and tested IT continuity plan, which is in line with the overall business continuity plan and its related business requirements, so as to make sure IT services are available as required and to ensure a minimum impact on business in the event of a major disruption. The controls include Critical Classification, alternative procedures, Back-up and Recovery, Systematic and Regular Testing and Training, Monitoring and Escalation Processes, Internal and External Organizational Responsibilities, Business Continuity Activation, Fallback and Resumption plans, Risk Management Activities, Assessment of Single Points of Failure and Problem Management.
2. Minor (scaled 2): If a risk will result in some damage, but the extent of damage is
not too significant.
3. Major (scaled 3): Risks with significantly large consequences which can lead to a
great amount of loss are classified as critical.
4. Catastrophic (scaled 4): These are the risks which can make the project completely
unproductive and unfruitful, and must be a top priority during risk management.
[Fig. 4.8.2: Business Impact Matrix (2): a grid of Likelihood of occurrence (scaled 1 to 4) against Consequences]
Likewise, the grid can be extended depending upon the criteria one chooses. Depending upon the grid value, the risk can be assessed:
• Values 8 to 12 can be categorized as Catastrophic.
• Values 4 to 6 can be denoted as Major.
• Value 3 can be given as Minor.
• Values 1 and 2 can be denoted as Trivial.
In some books, the values are classified into High, Medium, Low, and Very Low.
4.8.3 Risk Assessment
The risk assessment is an assessment of the disruption to critical activities, which are supported by resources such as people, process, technology, information, infrastructure, supplies and stakeholders. The enterprise should determine the threats and vulnerabilities of each resource, and the impact that would have in case it becomes a reality. It is the decision of the enterprise to select a risk assessment approach, but it is important that it is suitable and appropriate to address all of the enterprise's requirements.
Specific threats may be described as events or actions which could, at some point, cause an impact to the resources, e.g. threats such as fire, flood, power failure, staff loss, staff absenteeism, computer viruses and hardware failure.
a recovery committee must understand their responsibilities. Again, the problem is that they
will be required to undertake unfamiliar tasks. Periodically, they must review and practice
executing their responsibilities so they are prepared should a disaster occur. If committee
members leave the organization, new members must be appointed immediately and briefed
about their responsibilities.
4.13.4 Test Plan
The final component of a disaster recovery plan is a test plan. The purpose of the test plan is
to identify deficiencies in the emergency, backup, or recovery plans or in the preparedness of
an organization and its personnel for facing a disaster. It must enable a range of disasters to
be simulated and specify the criteria by which the emergency, backup, and recovery plans can
be deemed satisfactory. Periodically, test plans must be invoked. Unfortunately, top managers
are often unwilling to carry out a test because daily operations are disrupted. They also fear a
real disaster could arise as a result of the test procedures.
To facilitate testing, a phased approach can be adopted. First, the disaster recovery plan can be tested by desk checking, inspection and walkthroughs, much like the validation procedures adopted for programs. Next, a disaster can be simulated at a convenient time, for example during a slow period in the day. Anyone who will be affected by the test (e.g. personnel and customers) might also be given prior notice of the test so they are prepared. Finally, disasters could be simulated without warning at any time. These are the acid tests of the organization's ability to recover from a catastrophe.
4.14 Types of Back-ups
When back-ups are taken of the system and data together, they are called total system back-ups. Various types of back-ups are given as follows:
(i) Full Backup: A Full Backup captures all files on the disk or within the folder selected for backup. With a full backup system, every backup generation contains every file in the backup set. At each backup run, all files designated in the backup job will be backed up again. This includes files and folders that have not changed.
It is commonly used as an initial or first backup followed by subsequent incremental or differential backups. After several incremental or differential backups, it is common to start over with a fresh full backup again. Some also like to do full backups for all backup runs, typically for smaller folders or projects that do not occupy too much storage space. The Windows operating system lets us copy a full backup onto several DVD disks. Any good backup plan has at least one full backup of a server.
For example, suppose a full backup job or task is to be done every night from Monday to Friday. The first backup on Monday will contain the entire list of files and folders in the backup job. On Tuesday, the backup will include copying all the files and folders again, whether the files have changed or not. The cycle continues this way.
Advantages
  o Restores are fast and easy to manage as the entire list of files and folders is in one backup set.
  o Easy to maintain and restore different versions.
Disadvantages
  o Backups can take very long as each file is backed up again every time the full backup is run.
  o Consumes the most storage space compared to incremental and differential backups. The exact same files are stored repeatedly, resulting in inefficient use of storage.
(ii) Incremental Backup: An Incremental Backup captures files that were created or changed since the last backup, regardless of backup type. The last backup can be a full backup or simply the last incremental backup. With incremental backups, one full backup is done first and subsequent backup runs are just the changed files and new files added since the last backup.
For example, suppose an incremental backup job or task is to be done every night from Monday to Friday. The first backup on Monday will be a full backup since no backups have been taken prior to this. However, on Tuesday, the incremental backup will only back up the files that have changed since Monday, and the backup on Wednesday will include only the changes and new files since Tuesday's backup. The cycle continues this way.
Advantages
  o Much faster backups.
  o Efficient use of storage space as files are not duplicated. Much less storage space used compared to running full backups and even differential backups.
Disadvantages
  o Restores are slower than with full backups and differential backups.
  o Restores are a little more complicated. All backup sets (the first full backup and all incremental backups) are needed to perform a restore.
(iii) Differential Backup: Differential backups fall in the middle between full backups and incremental backups. A Differential Backup stores files that have changed since the last full backup. With differential backups, one full backup is done first and subsequent backup runs are the changes made since the last full backup. Therefore, if a file is changed after the previous full backup, a differential backup takes less time to complete than a full backup. Compared with a full backup, a differential backup is obviously faster and more economical in using the backup space, as only the files that have changed since the last full backup are saved.
Restoring from a differential backup is a two-step operation: restoring from the last full backup, and then restoring the appropriate differential backup. The downside to using differential backups is that each differential backup probably includes files that were already included in earlier differential backups.
For example, suppose a differential backup job or task is to be done every night from Monday to Friday. On Monday, the first backup will be a full backup since no prior backups have been taken. On Tuesday, the differential backup will only back up the files that have changed since Monday and any new files added to the backup folders. On Wednesday, the files changed and files added since Monday's full backup will be copied again. While Wednesday's backup does not include the files from the first full backup, it still contains the files backed up on Tuesday.
Advantages
  o Much faster backups than full backups.
  o More efficient use of storage space than full backups, since only files changed since the last full backup will be copied on each differential backup run.
  o Faster restores than incremental backups.
Disadvantages
  o Backups are slower than incremental backups.
  o Not as efficient use of storage space as compared to incremental backups. All files added or edited after the initial full backup will be duplicated again with each subsequent differential backup.
  o Restores are slower than with full backups.
  o Restores are a little more complicated than full backups but simpler than incremental backups. Only the full backup set and the last differential backup are needed to perform a restore.
(iv) Mirror back-up: Mirror backups are, as the name suggests, a mirror of the source being backed up. With mirror backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because of this, mirror backups should be used with caution, as a file that is deleted by accident, sabotage or through a virus may cause that same file in the mirror to be deleted as well. Some do not consider a mirror to be a backup.
Further, a mirror backup is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the backup data.
For example, many online backup services offer a mirror backup with a 30-day delete. This means that when you delete a file on your source, that file is kept on the storage server for at least 30 days before it is eventually deleted. This helps strike a balance, offering a level of safety while not allowing the backups to keep growing, since online storage can be relatively expensive. Many backup software utilities do provide support for mirror backups.
Advantages
  o The backup is clean and does not contain old and obsolete files.
Disadvantages
  o There is a chance that files in the source deleted accidentally, by sabotage or through a virus may also be deleted from the backup mirror.
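To make the trade-offs between the four backup types concrete, here is an added Python simulation (not from the study material) of one Monday-to-Friday cycle. The per-day source states, file names and version tags are constructed; the script reports how many file copies each type writes during the week and which backup sets a restore of Friday's data has to read.

```python
"""Full, incremental, differential and mirror backups over one Mon-Fri cycle.

Added illustration (not from the study material): file contents are
version tags and the daily source states are constructed. The point is
which files each run copies and which backup sets a restore must read.
"""
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]             # filename -> version tag of the source at day end
BackupSet = Tuple[str, Snapshot]      # (day written, files captured by that run)

# Constructed source states, one per nightly backup run
DAYS: List[BackupSet] = [
    ("Mon", {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"}),
    ("Tue", {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"}),                 # a changed
    ("Wed", {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"}),  # b changed, d new
    ("Thu", {"a.txt": "a2", "b.txt": "b2", "d.txt": "d1"}),                 # c deleted
    ("Fri", {"a.txt": "a3", "b.txt": "b2", "d.txt": "d1"}),                 # a changed again
]


def changed_since(cur: Snapshot, base: Snapshot) -> Snapshot:
    """Files created or changed in cur relative to base (deletions are not captured)."""
    return {f: v for f, v in cur.items() if base.get(f) != v}


def run_cycle(kind: str) -> List[BackupSet]:
    """Backup sets written during the week for one backup type."""
    if kind == "mirror":
        # A mirror is a single generation that tracks the source, deletions included.
        day, src = DAYS[-1]
        return [(day, dict(src))]
    sets: List[BackupSet] = []
    last_full: Snapshot = {}
    captured: Snapshot = {}          # what the chain has captured so far (for incremental)
    for day, src in DAYS:
        if kind == "full" or not sets:
            copied = dict(src)       # the first run of every type is a full backup
            last_full = dict(src)
            captured = dict(src)
        elif kind == "incremental":
            copied = changed_since(src, captured)   # since the last backup of any type
            captured.update(copied)
        elif kind == "differential":
            copied = changed_since(src, last_full)  # since the last full backup
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        sets.append((day, copied))
    return sets


def restore(kind: str, sets: List[BackupSet], day: str) -> Tuple[Snapshot, List[str]]:
    """Rebuild the files as of `day` and report which backup sets had to be read."""
    idx = [d for d, _ in sets].index(day)   # ValueError if no set exists for that day
    if kind in ("full", "mirror"):
        return dict(sets[idx][1]), [sets[idx][0]]
    if kind == "differential":
        result, used = dict(sets[0][1]), [sets[0][0]]   # the full backup ...
        if idx > 0:                                      # ... plus the latest differential
            result.update(sets[idx][1])
            used.append(sets[idx][0])
        return result, used
    if kind == "incremental":
        result, used = {}, []
        for d, data in sets[: idx + 1]:                  # the full backup plus every incremental
            result.update(data)
            used.append(d)
        return result, used
    raise ValueError(f"unknown backup type {kind!r}")


def files_copied(sets: List[BackupSet]) -> int:
    """Total file copies written during the cycle (a proxy for backup time and storage)."""
    return sum(len(data) for _, data in sets)


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential", "mirror"):
        sets = run_cycle(kind)
        files, used = restore(kind, sets, "Fri")
        print(f"{kind:12s} copies={files_copied(sets):2d}  restore Fri reads {used} -> {sorted(files)}")
```

Running it puts the text's points into numbers: over the week full writes 16 file copies, differential 13 and incremental 7, while restoring Friday needs one set (full), two (differential: the full plus the latest differential) or all five (incremental). Because the mirror keeps only the current generation, restoring Wednesday's data from it is impossible (restore raises ValueError), which is why the text says mirrors should be used with caution. In this simplified model change-based sets do not record deletions, so c.txt, deleted on Thursday, reappears in the incremental and differential restores.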
4.15 Alternate Processing Facility Arrangements
Security administrators should consider the following backup options:
• Cold Site: If an organisation can tolerate some downtime, cold-site backup might be appropriate. A cold site has all the facilities needed to install a mainframe system: raised floors, air conditioning, power, communication lines, and so on. An organisation can establish its own cold-site facility or enter into an agreement with another organisation to provide a cold-site facility.
• Hot Site: If fast recovery is critical, an organisation might need hot-site backup. All hardware and operations facilities will be available at the hot site. In some cases, software, data and supplies might also be stored there. A hot site is expensive to maintain. They are usually shared with other organisations that have hot-site needs.
• Warm Site: A warm site provides an intermediate level of backup. It has all cold-site facilities in addition to the hardware that might be difficult to obtain or install. For example, a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run.
• Reciprocal Agreement: Two or more organisations might agree to provide backup facilities to each other in the event of one suffering a disaster. This backup option is relatively cheap, but each participant must maintain sufficient capacity to operate another's critical system.
If a third-party site is to be used for backup and recovery purposes, security administrators must ensure that a contract is written to cover issues such as:
• how soon the site will be made available subsequent to a disaster;
• the number of organizations that will be allowed to use the site concurrently in the event of a disaster;
• the priority to be given to concurrent users of the site in the event of a common disaster;
• the period during which the site can be used;
• the conditions under which the site can be used;
• the facilities and services the site provider agrees to make available; and
• what controls will be in place and working at the off-site facility.
[Table fragment; the beginning of this row was lost in extraction]
... generators
• Humidity, temperature, and voltage control are maintained at acceptable levels.
• Emergency lighting, power outages and evacuation routes are appropriately located.

Control: Staff have been trained to react to emergencies
Controls in place:
• Operational and support personnel are trained and understand emergency procedures.
• Emergency procedures are documented and periodically tested: incident plan, inspection plan and maintenance plan.
Audit procedures:
• Interview security personnel to ensure their awareness and responsibilities.
• Review training records and documentation. Determine the scope and adequacy of training.
• Review test policies, documentation and know-how of operational staff.
• Review incident handling procedures and maintenance and inspection plan.
- Programming Management Controls: Discusses the major phases in the program life cycle and the important controls that should be exercised in each phase.
- Data Resource Management Controls: Discusses the role of the database administrator and the controls that should be exercised in each phase.
- Quality Assurance Management Controls: Discusses the major functions that quality assurance management should perform to ensure that the development, implementation, operation, and maintenance of information systems conform to quality standards.
- Security Management Controls: Discusses the major functions performed by security administrators to identify major threats to the IS functions and to design, implement, operate, and maintain controls that reduce expected losses from these threats to an acceptable level.
- Operations Management Controls: Discusses the major functions performed by operations management to ensure the day-to-day operations of the IS function are well controlled.
The auditors play a vital role in evaluating the performance of the various controls under managerial controls. Some of the key areas that auditors should pay attention to while evaluating Managerial controls and their types are provided below:
6.7.1 Top Management and Information Systems Management Controls
The major activities that senior management must perform are Planning, Organizing, Controlling and Leading (already explained in Chapter 3 of the Study Material). The role of the auditor at each activity is discussed below:
• Planning: Auditors need to evaluate whether or not top management has formulated a high-quality information systems plan that is appropriate to the needs of the organization. A poor-quality information systems plan is ineffective and inefficient, leading to loss of the organization's competitive position within the marketplace.
• Organizing: Auditors should be concerned about how well top management acquires and manages staff resources, for three reasons:
  o The effectiveness of the IS function depends primarily on the quality of its staff. The IS staff need to remain up to date and motivated in their jobs.
  o Intense competition and high turnover have made acquiring and retaining good information systems staff a complex activity.
  o Empirical research indicates that the employees of an organization are the most likely persons to perpetrate irregularities.
• Leading: Generally, the auditors examine variables that often indicate when motivation problems exist or suggest poor leadership, for example staff turnover statistics, frequent failure of projects to meet their budget, and absenteeism levels, to evaluate the leading function. Auditors may use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff. The formal sources include IS plans, documents, standards and policies, whereas the informal sources of evidence include interviews with IS staff about their level of satisfaction with top management. Auditors must try to assess both the short-run and long-run consequences of poor communications within the information systems function and to assess the implications for asset safeguarding, data integrity, system effectiveness, and system efficiency.
• Controlling: Auditors should focus on the subset of the control activities that should be performed by top management, namely those aimed at ensuring that the information systems function accomplishes its objectives at a global level. Auditors must evaluate whether or not top management's choice of the means of control over the users of IS services is likely to be effective.
6.7.2 System Development Management Controls
Three different types of audits may be conducted during the system development process, as discussed in Table 6.7.2:
Table 6.7.2: Different types of Audit during System Development Process
- Concurrent Audit: Auditors are members of the system development team. They assist the team in improving the quality of systems development for the specific system they are building and implementing.
- Post-implementation Audit: Auditors seek to help an organization learn from its experiences in the development of a specific application system. In addition, they might be evaluating whether the system needs to be scrapped, continued, or modified in some way.
- General Audit: Auditors evaluate systems development controls overall. They seek to determine whether they can reduce the extent of substantive testing needed to form an audit opinion about management's assertions relating to the financial statements for systems effectiveness and efficiency.
An external auditor is more likely to undertake general audits rather than concurrent or
post-implementation audits of the systems development process. For internal auditors,
management might require that they participate in the development of material
application systems or undertake post-implementation reviews of material application
systems as a matter of course.
6.7.3 Programming Management Controls
Some of the major concerns that an auditor should address under different activities
involved in Programming Management Control Phase are provided in Table 6.7.3 as
under:
[Figure: cloud computing architecture showing Grid Node, Control Server, Task and Cloud. Source: www.synergy.gs]
(a) Private Cloud: This cloud computing environment resides within the boundaries of an organization and is used exclusively for the organization's benefit. These are also called Internal Clouds or Corporate Clouds. Private Clouds can either be private to the organization and managed by the single organization (On-Premise Private Cloud) or be managed by a third party (Outsourced Private Cloud). They are built primarily by IT departments within enterprises, who seek to optimize utilization of infrastructure resources within the enterprise by provisioning the infrastructure with applications using the concepts of grid and virtualization.
Certain characteristics of Private Cloud are as follows:
• Secure: The private cloud is secure as it is deployed and managed by the organization itself, and hence there is the least chance of data being leaked out of the cloud.
• Central Control: As the private cloud is managed by the organization itself, there is no need for the organization to rely on anybody, and it is controlled by the organization itself.
• Weak Service Level Agreements (SLAs): SLAs play a very important role in any cloud service deployment model as they are defined as agreements between the user and the service provider; in a private cloud, either formal SLAs do not exist or are weak, as the agreement is between the organization and a user of the same organization. Thus, high availability and good service may or may not be available.
Comparison table (column headings as extracted: "Private Cloud" and "Organization Cloud"):
- Location: (first column) The data is usually stored in the same geographical location where the cloud users are present. In case of several physical locations, the cloud is distributed over several places and is accessed using the Internet. (second column) The cloud is located off site, and when there is a change of location the data needs to be transmitted over long distances.
- Performance: (first column) The performance depends on the network and resources and can be controlled by the network management team. (second column) The performance of the cloud depends on the third party that is outsourcing the cloud.
(b) Public Cloud: The public cloud is the cloud infrastructure that is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. Typically, public clouds are administered by third parties or vendors over the Internet, and the services are offered on a pay-per-use basis. These are also called Provider Clouds. A public cloud consists of users from all over the world, wherein a user can simply purchase resources on an hourly basis and work with the resources which are available on the cloud provider's premises.
Characteristics of Public Cloud are as follows:
• Highly Scalable: The resources in the public cloud are large in number and the service providers make sure that all requests are granted. Hence public clouds are considered to be scalable.
• Affordable: The cloud is offered to the public on a pay-as-you-go basis; hence the user has to pay only for what he or she is using (on a per-hour basis), and this does not involve any cost related to the deployment.
• Less Secure: Since it is offered by a third party who has full control over the cloud, the public cloud is the least secure of all the deployment models.
• Highly Available: It is highly available because anybody from any part of the world can access the public cloud with proper permission, and this is not possible in other models as geographical or other access restrictions might be there.
• Stringent SLAs: As the service provider's business reputation and customer strength are totally dependent on the cloud services, they follow the SLAs strictly and violations are avoided.
• Partially Secure: The private cloud is considered secure and the public cloud has a high risk of security breach. The hybrid cloud thus cannot be fully termed secure, but partially secure.
• Stringent SLAs: Overall the SLAs are more stringent than in the private cloud and might be as per the public cloud service provider's.
• Complex Cloud Management: Cloud management is complex as it involves more than one type of deployment model and the number of users is also high.
The Advantages of Hybrid Cloud include the following:
• It is highly scalable and gives the power of both private and public clouds.
• It provides better security than the public cloud.
The limitation of Hybrid Cloud is that the security features are not as good as the public cloud and it is complex to manage.
(d) Community Cloud: The community cloud is the cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. In this model, a private cloud is shared between several organizations. Fig. 8.3.6 depicts Community Cloud. This model is suitable for organizations that cannot afford a private cloud and cannot rely on the public cloud either.
[Figure: cloud service models: Software as a Service, Platform as a Service, Infrastructure as a Service]
[Figure: IaaS components: Compute, Network, Storage, Load Balancers]
demand. It is an ability given to the end users to access the database service without the need to install and maintain it, on a pay-per-use basis. The end users can access the database services through any Application Programming Interfaces (APIs) or Web User Interfaces provided by the service provider.
- Backend as a Service (BaaS): It is a type of IaaS that provides web and mobile app developers a way to connect their applications to backend cloud storage with added services such as user management, push notifications, and social network services integration using custom software development kits and application programming interfaces.
- Desktop as a Service (DTaaS): It is an instance of IaaS that provides the ability for end users to use desktop virtualization without buying and managing their own infrastructure. DTaaS is a pay-per-use cloud service delivery model in which the service provider manages the back-end responsibilities of data storage, backup, security and upgrades. The end users are responsible for securing and managing their own desktop images, applications, and security. These services are simple to deploy, are highly secure, and produce a better experience on almost all devices.
(b) Platform as a Service (PaaS): PaaS provides users the ability to develop and deploy an application on the development platform provided by the service provider. In traditional application development, the application is developed locally and hosted in a central location. In stand-alone application development, the application is developed on traditional development platforms, resulting in licence-based software, whereas PaaS moves application development from the local machine to online. For example: Google AppEngine, Windows Azure Compute etc.
Typical PaaS providers may provide programming languages, application frameworks, databases, and testing tools, apart from some build tools, deployment tools and software load balancers as a service in some cases (Refer Fig. 8.3.9).
- Programming Languages: PaaS providers provide a wide variety of programming languages like Java, PHP, Python, Ruby etc. for developers to develop applications.
- Application Frameworks: PaaS vendors provide application development frameworks like Joomla, WordPress, Sinatra etc. for application development.
- Database: Along with PaaS platforms, PaaS providers provide some of the popular databases like ClearDB, Cloudant, Redis etc. so that applications can communicate with the databases.
- Other Tools: PaaS providers provide all the tools that are required to develop, test, and deploy an application.
[Fig. 8.3.9: Services offered by PaaS providers: Programming Languages, Application Frameworks, Databases, Other Tools]
document in Google docs online, s/he can edit a photo online on pixlr.com so s/he need
not install the photo editing software on his/her system- thus Google is provisioning
software as a service.
[Fig. 8.3.10: Services offered by SaaS providers: Business Services, Social Networks, Document Management, Mail Services]
The services provided by SaaS as depicted in Fig. 8.3.10 are as follows:
(a) Business Services: SaaS providers provide a variety of business services to
startup companies that include ERP, CRM, billing, sales, and human resources.
(b) Social Networks: Since the number of users of social networking sites is
increasing exponentially, cloud computing is the perfect match for handling the
variable load.
(c) Document Management: Most SaaS providers provide services to create, manage,
and track electronic documents, as most enterprises extensively use electronic
documents.
(d) Mail Services: To handle the unpredictable number of users and the load on e-mail
services, most e-mail providers offer their services as SaaS.
Characteristics of SaaS are as follows:
One to Many: SaaS services are delivered in a one-to-many model, where a
single instance of the application is shared by multiple customers.
Web Access: SaaS services allow end users to access the application from any
location where the device is connected to the Internet.
Centralized Management: Since SaaS services are hosted and managed from a
central location, the SaaS provider performs automatic updates to ensure that
each customer is accessing the most recent version of the application without
any user-side updates.
Multi-device Support: SaaS services can be accessed from any end-user device,
such as desktops, laptops, tablets, smartphones, and thin clients.
Better Scalability: Most SaaS services leverage PaaS and IaaS for their
development and deployment and ensure better scalability than traditional
software.
uses different methods for transferring and synchronizing data, some involving the use
of Radio Frequency (RF) technology.
8.4.3 Mobile Computing Services
The ability to share information across a wireless platform is becoming more vital to
today's business communication needs. Various companies design and develop
wireless applications and solutions for Blackberry, iPhone, Google Android G1, iPad, Windows
Mobile, Symbian, Brew devices, PDA, Palm & Pocket PC. Mobile Computing Services allow
mobile workforces to access a full range of corporate services and information from anywhere,
at any time, and improve the productivity of a mobile workforce by connecting them to
corporate information systems and by automating paper-based processes.
8.4.4 Benefits of Mobile Computing
In general, Mobile Computing is a versatile and strategic technology that increases information
quality and accessibility, enhances operational efficiency, and improves management
effectiveness. But, more specifically, it leads to a range of tangible benefits, including the
following:
It provides the mobile workforce with remote access to work order details, such as work
order location, contact information, required completion date, asset history and relevant
warranties/service contracts.
It enables mobile sales personnel to update work order status in real time, facilitating
excellent communication.
It facilitates access to corporate services and information at any time, from anywhere.
It provides remote access to the corporate knowledge base at the job location.
It improves management effectiveness by enhancing information quality,
information flow, and the ability to control a mobile workforce.
8.4.5 Limitations of Mobile Computing
Insufficient Bandwidth: Mobile Internet access is generally slower than direct cable
connections, using technologies such as General Packet Radio Service (GPRS) and
Enhanced Data for GSM (Global System for Mobile Communication) Evolution
(EDGE), and more recently 3G networks. These networks are usually available only
within range of commercial cell phone towers. Higher-speed wireless LANs are
inexpensive but have very limited range.
Security Standards: When working mobile, one is dependent on public networks,
requiring careful use of a Virtual Private Network (VPN). Security is a major concern
with respect to mobile computing standards. One can easily attack the VPN
through the huge number of networks interconnected along the line.
Power consumption: When a power outlet or portable generator is not available,
mobile computers must rely entirely on battery power. Combined with the compact
size of many mobile devices, this often means unusually expensive batteries must
be used to obtain the necessary battery life. Mobile computing should also look
into Greener IT in such a way that it saves power or increases battery life.
Transmission interferences: Weather, terrain, and the range from the nearest
signal point can all interfere with signal reception. Reception in tunnels, some
buildings, and rural areas is often poor.
Potential health hazards: People who use mobile devices while driving are often
distracted from driving and are thus assumed to be more likely to be involved in traffic
accidents. Cell phones may interfere with sensitive medical devices. There are
allegations that cell phone signals may cause health problems.
Human interface with device: Screens and keyboards tend to be small, which may
make them hard to use. Alternative input methods such as speech or handwriting
recognition require training.
8.4.6 Issues in Mobile Computing
Security Issues: Wireless networks have relatively more security requirements
than wired networks. A number of approaches have been suggested, and the
use of encryption has been proposed.
o Confidentiality: Preventing unauthorized users from gaining access to critical
information of any particular user.
o Integrity: Ensuring that unauthorized modification, destruction or creation of
information cannot take place.
o Availability: Ensuring that authorized users get the access they require.
o Legitimate: Ensuring that only authorized users have access to services.
o Accountability: Ensuring that users are held responsible for their security-
related activities by ensuring that a user and his/her activities can be linked if and
when necessary.
Bandwidth: Bandwidth utilization can be improved by logging (bulk operations
instead of many short requests) and by compression of data before transmission. The
technique of caching frequently accessed data items can play an important role in
reducing contention in narrow-bandwidth wireless networks. The cached data can
help improve query response time. Since mobile clients often disconnect to
conserve battery power, the cached data can also support disconnected operation.
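The three bandwidth techniques above (batching requests, compressing before transmission, and caching with disconnected operation) can be shown working together. The following is an added example, not code from the original chapter; the "server" is a local dictionary, the radio link is simulated by a class that counts bytes, and all records and hostnames are constructed sample data.

```python
"""Added example: batched, compressed fetches served through a client-side cache
that keeps working (on stale data) while the mobile link is down.
All data below is constructed; the remote system is simulated in-process."""
import json
import time
import zlib

# Constructed server-side records standing in for the corporate information system.
SERVER_RECORDS = {
    "order/1001": {"id": 1001, "status": "open", "items": ["bolt"] * 40},
    "order/1002": {"id": 1002, "status": "closed", "items": ["nut"] * 40},
    "order/1003": {"id": 1003, "status": "open", "items": ["washer"] * 40},
}


class Link:
    """Simulated narrow-bandwidth link: counts round trips and bytes, can go offline."""

    def __init__(self):
        self.online = True
        self.round_trips = 0
        self.bytes_raw = 0         # what would cross the air without compression
        self.bytes_transferred = 0  # what actually crosses the air

    def fetch_batch(self, keys):
        # One round trip carries the whole batch (bulk operation, not one request per key).
        if not self.online:
            raise ConnectionError("link is down")
        self.round_trips += 1
        payload = json.dumps({k: SERVER_RECORDS[k] for k in keys if k in SERVER_RECORDS}).encode()
        compressed = zlib.compress(payload)  # compress before transmission
        self.bytes_raw += len(payload)
        self.bytes_transferred += len(compressed)
        return json.loads(zlib.decompress(compressed))


class MobileCache:
    """Cache of fetched records with a TTL; serves stale entries when disconnected."""

    def __init__(self, link, ttl_seconds=300):
        self.link = link
        self.ttl = ttl_seconds
        self.store = {}  # key -> (value, fetched_at)

    def get_many(self, keys, now=None):
        now = time.time() if now is None else now
        result, to_fetch = {}, []
        for k in keys:
            entry = self.store.get(k)
            if entry and now - entry[1] < self.ttl:
                result[k] = entry[0]        # fresh hit: no radio traffic
            else:
                to_fetch.append(k)
        if to_fetch:
            try:
                fetched = self.link.fetch_batch(to_fetch)
                for k, v in fetched.items():
                    self.store[k] = (v, now)
                result.update(fetched)
            except ConnectionError:
                # Disconnected operation: fall back to stale copies where we have them;
                # keys never cached are simply absent from the result.
                for k in to_fetch:
                    if k in self.store:
                        result[k] = self.store[k][0]
        return result


def demo():
    """Run the scenario and return the measurements (used by the checks below)."""
    link = Link()
    cache = MobileCache(link, ttl_seconds=60)
    t0 = 1_000_000.0
    first = cache.get_many(["order/1001", "order/1002"], now=t0)   # one batched round trip
    link.online = False                                            # client drops the radio
    second = cache.get_many(["order/1001", "order/1002", "order/1003"], now=t0 + 120)
    return {
        "first_keys": sorted(first),
        "second_keys": sorted(second),            # 1003 was never cached, so it is missing
        "round_trips": link.round_trips,          # still 1: the offline call sent nothing
        "compressed_smaller": link.bytes_transferred < link.bytes_raw,
    }


if __name__ == "__main__":
    print(demo())
```

Note that in the offline call the TTL has already expired, so a strict cache would return nothing; serving the stale copy and letting the application decide whether that is acceptable is the design trade-off the text refers to as disconnected operation.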
Location Intelligence: As mobile computers move, they encounter networks
with different features. A mobile computer must be able to switch from infrared
mode to radio mode as it moves from indoors to outdoors. Additionally, it should
be capable of switching from cellular mode of operation to satellite mode as the
computer moves between urban and rural areas. In mobile computing, as computers
are working in cells and are being serviced by different network providers, the
physical distance may not reflect the true network distance. A small movement
may result in a much longer path if cell or network boundaries are crossed. It will
and associated subsystems - such as monitors, printers, storage devices, and networking and
communications systems - efficiently and effectively with minimal or no impact on the
environment.
The objective of Green computing is to reduce the use of hazardous materials, maximize
energy efficiency during the product's lifetime, and promote the recyclability or
biodegradability of defunct products and factory waste. Such practices include the
implementation of energy-efficient Central Processing Units (CPUs), servers and peripherals as
well as reduced resource consumption and proper disposal of electronic waste (e-waste).
8.5.1 Relevant Facts
All businesses are increasingly dependent on technology, and small business is no exception.
We work on our PCs, notebooks and smart phones all day, connected to servers running
24x7. Since the technology refresh cycle is fast, these devices quickly become obsolete, and
at some point - more often sooner than later - we dispose of old devices and replace them with
new ones. We use massive quantities of paper and ink to print documents, many of which we
promptly send to the circular file.
In the process, most businesses waste resources, in the form of energy, paper, money and
time - resources we could invest to develop new products or services, or to hire and train
employees. Even if we aren't tree huggers, it makes good business sense to green our IT
environment and culture. Fortunately, there are many simple steps one can take to do this, no
matter what the size of the business, or how far along someone is in the process. Many IT vendors
have major initiatives underway to green their products, services and practices. These include
building computers with more environmentally friendly materials, designing them to
consume less energy, providing recycling programs to dispose of old systems, developing
virtualization and cloud computing alternatives, and providing tips to businesses that want to
go green.
8.5.2 Green Computing Best Practices
Government regulation, however well-intentioned, is only part of an overall green computing
philosophy. The work habits of computer users and businesses can be modified to minimize
adverse impact on the global environment. Some of such steps for Green IT include the
following:
Develop a sustainable Green Computing plan:
Involve stakeholders to include checklists, recycling policies, recommendations
for disposal of used equipment, government guidelines and recommendations for
purchasing green computer equipment in organizational policies and plans;
Encourage the IT community to use best practices and to consider green
computing practices and guidelines;
Maintain on-going communication about, and campus commitment to, green IT best
practices to produce notable results.
Develop a thin-client strategy: thin clients are smaller, cheaper and simpler for
manufacturers to build than traditional PCs or notebooks and, most importantly, use
about half the power of a traditional desktop PC;
Use notebook computers rather than desktop computers whenever possible;
Use the power-management features to turn off hard drives and displays after several
minutes of inactivity;
Power down the CPU and all peripherals during extended periods of inactivity;
Try to do computer-related tasks during contiguous, intensive blocks of time, leaving
hardware off at other times;
Power up and power down energy-intensive peripherals such as laser printers according
to need;
Employ alternative energy sources for computing workstations, servers, networks and
data centers; and
Adopt web conferencing instead of travelling to meetings in order to go green and
save energy.
8.5.3 Green IT Security Services and Challenges
IT solution providers are offering green security services in many ways. The key
considerations are what to look for in green security products, the challenges in the
security services market and how security services fare in a recession. If administered
properly with other green computing technologies, green security can be a cost-efficient and
lucrative green IT service for solution providers. The basic aim is to increase the customer's
energy savings through green security services and to assess how sustainable computing
technology can immediately help the environment. Green IT services present many benefits
for clients as well as providers, but knowing how to evaluate a client's infrastructure to
accommodate green technology is a vital issue.
Moreover, apart from the common security issues, green security emphasizes the role of
security tools, methods and practices that reduce a company's environmental impact. But
estimating the scope, coping with the lack of green security services in the market and getting
advice on conserving power and purchasing switches is very important and needs a high level
of sensitivity. Learning about the challenges of implementing green security and its best
practices is a major hope, as the artifacts are still evolving.
8.6 Bring Your Own Device (BYOD)
BYOD (Bring Your Own Device) refers to a business policy that allows employees to use their
preferred computing devices, like smart phones and laptops, for business purposes. It means
employees are welcome to use personal devices (laptops, smart phones, tablets etc.) to
connect to the corporate network to access information and applications. The BYOD policy has
rendered workspaces flexible, empowering employees to be mobile and giving them the
right to work beyond their required hours. The continuous influx of readily improving
technological devices has led to the mass adoption of smart phones, tablets and laptops,
challenging the long-standing policy of working on company-owned devices. It has not only led
to an increase in employee satisfaction but also reduced IT desktop costs for organizations,
as employees are willing to buy, maintain and update devices in return for a one-time
investment cost to be paid by the organization.
In the early 1990s, executing different tasks necessitated the use of different devices. For
instance, an mp3 player was needed to listen to music, whereas chores, tasks and schedules
were tracked by a PDA. In addition to this list were a bulky laptop and a camera, and it
seemed we would wait till eternity for a single device to suit our different needs.
However, remarkable advances in technology in the last decade have made it possible to
perform all the above-mentioned tasks using a single hi-tech device. Different technologies
can work in synergy with each other, which improves user productivity and convenience.
8.6.1 Advantages of BYOD
Happy Employees: Employees love to use their own devices when at work. This
also reduces the number of devices an employee has to carry; otherwise he would
be carrying his personal as well as organization-provided devices.
Lower IT budgets: BYOD could yield financial savings for the organization, since
employees would be using devices they already possess, thus reducing the outlay
of the organization in providing devices to them.
IT reduces support requirement: The IT department does not have to provide end-user
support and maintenance for all these devices, resulting in cost savings.
Early adoption of new Technologies: Employees are generally proactive in
adopting new technologies, which results in enhanced productivity of employees,
leading to overall growth of the business.
Increased employee efficiency: The efficiency of employees is higher when the
employee works on his/her own device. With organization-provided devices,
employees have to learn the device, and there is a learning curve involved in it.
8.6.2 Emerging BYOD Threats
Every business decision is accompanied by a set of threats, and a BYOD program is no
exception; it is not immune from them. As outlined in the Gartner survey, a BYOD program that
allows access to the corporate network, emails, client data etc. is one of the top security concerns
for enterprises. Overall, these risks can be classified into four areas, as outlined below:
Network Risks: This is normally exemplified and hidden in Lack of Device Visibility. When
company-owned devices are used by all employees within an organization, the
organization's IT practice has complete visibility of the devices connected to the network.
This helps to analyze traffic and data exchanged over the Internet. As BYOD permits
employees to carry their own devices (smart phones, laptops for business use), the IT
practice team is unaware of the number of devices being connected to the network.
As network visibility is of high importance, this lack of visibility can be hazardous. For
example, if a virus hits the network and all the devices connected to the network need to be
scanned, it is probable that some of the devices would miss out on this routine scan
operation. In addition to this, the network security lines become blurred when BYOD is
implemented.
Device Risks: This is normally exemplified and hidden in Loss of Devices. A lost or stolen
device can result in enormous financial and reputational embarrassment to an
organization, as the device may hold sensitive corporate information. Data lost from
stolen or lost devices ranks as the top security threat as per the rankings released by the
Cloud Security Alliance. With easy access to company emails as well as the corporate
intranet, company trade secrets can be easily retrieved from a misplaced device.
Application Risks: This is normally exemplified and hidden in Application Viruses and
Malware. A related report revealed that a majority of employees' phones and smart
devices that were connected to the corporate network weren't protected by security
software. With an increase in mobile usage, mobile vulnerabilities have increased
concurrently. Organizations are not clear in deciding who is responsible for device
security: the organization or the user.
Implementation Risks: This is normally exemplified and hidden in Weak BYOD Policy.
The effective implementation of the BYOD program should not only cover the technical
issues mentioned above but also mandate the development of a robust implementation
policy. Because corporate knowledge and data are key assets of an organization, the
absence of a strong BYOD policy would fail to communicate employee expectations,
thereby increasing the chances of device misuse. In addition to this, a weak policy fails to
educate the user, thereby increasing vulnerability to the above-mentioned threats.
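The network-risk item above, lack of device visibility, is something an IT team can measure rather than guess at: compare what the DHCP server has actually leased addresses to against the asset inventory of managed devices, and against the devices that reported a completed endpoint scan. The code below is an added illustration, not from the original chapter or any vendor; the lease-line format is a simplified, assumed one, and every MAC address, hostname and inventory entry is constructed sample data.

```python
"""Added example: BYOD visibility check. Parses constructed DHCP lease lines,
flags devices absent from the managed-asset inventory, and flags managed
devices that did not report the routine scan. Format and data are assumed."""
import re
from dataclasses import dataclass

# Constructed lease records (simplified, ISC-dhcpd-like layout; assumed format).
SAMPLE_LEASES = """\
lease 10.0.1.21 { hardware ethernet 00:1a:2b:3c:4d:01; client-hostname "FIN-LT-017"; }
lease 10.0.1.22 { hardware ethernet 00:1a:2b:3c:4d:02; client-hostname "HR-LT-003"; }
lease 10.0.1.57 { hardware ethernet 3c:22:fb:aa:bb:cc; client-hostname "Rahuls-iPhone"; }
lease 10.0.1.58 { hardware ethernet a4:5e:60:11:22:33; client-hostname "android-7f3e"; }
lease 10.0.1.23 { hardware ethernet 00:1a:2b:3c:4d:03; client-hostname "ENG-LT-044"; }
"""

# Constructed asset inventory: MAC -> hostname of company-managed devices.
MANAGED_DEVICES = {
    "00:1a:2b:3c:4d:01": "FIN-LT-017",
    "00:1a:2b:3c:4d:02": "HR-LT-003",
    "00:1a:2b:3c:4d:03": "ENG-LT-044",
}

# Constructed endpoint-protection feed: MACs that reported a completed scan today.
LAST_SCAN_REPORTED = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:03"}

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]{17}); client-hostname "([^"]*)"; \}'
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def parse_leases(text):
    """Extract (ip, mac, hostname) from each lease line that matches the assumed layout."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            devices.append(Device(m.group(1), m.group(2).lower(), m.group(3)))
    return devices


def classify(devices, managed, scanned):
    """Split observed devices into unmanaged ones and managed ones that missed the scan."""
    unmanaged = [d for d in devices if d.mac not in managed]
    missed = [d for d in devices if d.mac in managed and d.mac not in scanned]
    return unmanaged, missed


def visibility_report(lease_text=SAMPLE_LEASES, managed=MANAGED_DEVICES,
                      scanned=LAST_SCAN_REPORTED):
    """Summarize what is on the network versus what IT actually knows about."""
    devices = parse_leases(lease_text)
    unmanaged, missed = classify(devices, managed, scanned)
    return {
        "total_on_network": len(devices),
        "unmanaged": sorted(d.mac for d in unmanaged),
        "managed_missed_scan": sorted(d.mac for d in missed),
    }


if __name__ == "__main__":
    for key, value in visibility_report().items():
        print(f"{key}: {value}")
```

Two caveats for anyone adapting this: the lease format of a real DHCP server differs from the simplified one assumed here, and modern phones randomize their Wi-Fi MAC address per network, so a MAC-keyed inventory undercounts personal devices; 802.1X or a mobile-device-management agent gives a far more reliable picture than DHCP alone.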
8.6.3 Mobile Computing and BYOD
Mobile computing, including BYOD, is the single most radical shift in business since the PC
revolution of the 1980s. Over the next decade, it will have a huge impact on how people work
and live, how companies operate, and on the IT infrastructure. These services will focus on
the issues and opportunities surrounding the new way to communicate and consume
computing services. Mobile computing is not just PCs on the move. Mobile devices such as
smart phones, tablets, and the iPod Touch (the last PDA standing) are a radically different kind
of device, designed from the ground up as end points of data networks, both internal
corporate networks and the Internet, rather than primarily as stand-alone devices. They are
optimized for mobility, which means that they have to be light, easy to handle, and maximize
battery life. Where a laptop has a three-hour battery life, the tablet and smartphone regularly
run 12 hours or more between charges and serve as windows into the Cloud.
8.7 Social Media, Web 2.0 and Web 3.0
Related aspects of Social Media, Web 2.0 and Web 3.0 are as given:
8.7.1 Social Media
While considering a network, we imagine a set of entities connected with each other on a
logical or a physical basis. Physical networks like computer networks are those that can be
planned, implemented and managed very optimally and efficiently. However, when we move
from physical to logical networks, the visualization becomes much more difficult. Social
created, such as Blogging, Social Networking, Communities, Mash-ups, and Tagging. The
power of Web 2.0 is the creation of new relationships between collaborators and information.
The components of Web 2.0 help to create and sustain social networks. Blogging is the art of social
conversation and has replaced personal home pages, which helps in a more consolidated
flow of thoughts and ideas. Wikis have enabled collaborative contribution and authoring
among distributed teams. Tagging, or folksonomy, is a collaborative means of identifying
information widgets to increase the power of any web site and of searching for required information
in a faster way. Combined with other such concepts, Web 2.0 provides an ideal platform for
implementing and helping Social Networks to grow.
8.7.3 Components of Web 2.0 for Social Networks
In today's environment, computer literacy is at its peak and tools that are aided through the
computerization age are most effective in keeping alive a concept as complicated as Social
Networks. The beauty of Web 2.0 fitment to Social Networks is that all the components of Web
2.0 are built for the growth and sustenance of Social Networks. Major components that have
been considered in Web 2.0 include the following:
Communities: These are online spaces formed by a group of individuals to share their
thoughts and ideas, and have a variety of tools to promote Social Networking. There are a
number of tools available online nowadays to create communities, which are very cost-
efficient as well as easy to use.
RSS-generated Syndication: RSS is a format for syndicating web content that
allows freshly published web content to be fed to users through an RSS reader.
Blogging: A blog is a journal, diary, or personal website that is maintained on the
internet and is updated frequently by the user. Blogging allows a user to make a
post to a web log or blog. Blogs give the users of a Social Network the freedom to
express their thoughts in a free-form manner and help in the generation and discussion of
topics.
Wiki: A Wiki is a set of co-related pages on a particular subject that allows users to share
content. Wikis replace complex document management systems and are very easy to
create and maintain.
Usage of Ajax and other new technologies: Ajax is a way of developing web
applications that combines XHTML and CSS (Cascading Style Sheets) standards-
based presentation that allows interaction with the web page, and data
interchange with XML (eXtensible Markup Language) and XSLT (eXtensible
Stylesheet Language Transformations).
Folksonomy: This allows the free classification of information available on the
web, which helps users to classify and find information using approaches
such as tagging. Also known as Social Bookmarking, the bookmarks in a folder are
not stored on the user's computer; rather, tagged pages are stored on the web,
increasing accessibility from any computer connected to the Internet.
File Sharing/Podcasting: This is the facility which helps users to put their media files
and related content online for other people in the network to see and contribute to.
Mash-ups: This is the facility by using which people on the internet can combine
services from multiple vendors to create a completely new service. An example may be
combining the location information from a mobile service provider and the map facility of
Google Maps in order to find the exact location of a cell phone device from the
internet, just by entering the cell number.
As we see from the above components of Web 2.0, each of them contributes to the
implementation and continued existence of social networks on a meaningful basis. While wikis
and communities help to create an online space for the networks, Blogging, Folksonomy and
file sharing help information flow across the virtual world of the social networking community
(as shown in Fig. 8.7.1).
[Fig. 8.7.1: Components of Web 2.0 for Social Networks: Communities, Wikis, Podcasting, Mash-ups]
There are numerous reports detailing how doctors are connecting using Web 2.0 for
increasing their knowledgebase.
Social networks built on Web 2.0 concepts have become so affordable and easy to use
that more and more people are migrating to this wave. This has also helped NGOs and other
social service organizations to create meaningful social networks to reach out to people in a
much more structured manner and in turn benefit the needy and deprived sectors of
society. Web 2.0 finds applications in different fields, some of which are as follows:
Social Media: Social Media/Social Network is an important application of web 2.0
as it provides a fundamental shift in the way people communicate and share
information. The social web offers a number of online tools and platforms that
could be used by the users to share their data, perspectives, and opinions among
other user communities.
Marketing: Web 2.0 offers excellent opportunities for marketing by engaging
customers in various stages of the product development cycle. It allows the
marketers to collaborate with consumers on various aspects such as product
development, service enhancement, and promotion. Collaboration with the
business partners and consumers can be improved by the companies by utilizing
the tools provided by Web 2.0 paradigm. Consumer-oriented companies use
networks such as Twitter and Facebook as common elements of multichannel
promotion of their products.
Education: Web 2.0 technologies can help the education scenario by providing
students and faculty with more opportunities to interact and collaborate with their
peers. By utilizing the tools of Web 2.0, the students get the opportunity to share
what they learn with other peers by collaborating with them.
8.7.7 Benefits and Challenges for Social Networks using Web 2.0
Web 2.0 has provided a number of benefits to social networks. It provides a platform where
users of the network need not worry about the implementation or underlying technology, at a
very affordable cost and with a very short pickup time. Concepts of Web 2.0 like blogging are
things that people do on a day-to-day basis, and no new knowledge or skills are required. Web
2.0 techniques are very people-centric activities and thus adoption is very fast. People are
coming much closer to one another and all social and geographical boundaries are being reduced
at lightning speed, which is one of the biggest sustenance factors for any social network.
Using Web 2.0 also increases social collaboration to a very high degree, and this in turn
helps in achieving the goals of a social network.
There are a number of challenges that are faced in the implementation of social networks
using Web 2.0 concepts. One of the major aspects is data security and privacy: in such
public domains there is a huge chance of data leakage and confidentiality loss, because there are
usually no centrally mandated administrative services to take care of such aspects. Privacy of
individual users is also a concern and can create a huge problem if malicious users somehow
manage to penetrate the social networks. This is more important for public utility networks
like those of doctors and police. A majority of social networks are offline, and for bringing these
under the purview of online social networks, a lot of education and advertising needs to be
done, which itself becomes a cost burden when the people involved are not computer literate.
This is even more so in the developing areas of the world that do not have the
basic amenities. The fact is that these areas are the ones that can benefit the most from using
social networks in an online mode, and a huge amount of effort would be needed to help them
use the technologies.
Web 2.0 has introduced a number of powerful features that social networks are utilizing.
These have provided significant advances, which can be seen by the worldwide acceptance of
networking sites with these technologies. In spite of all challenges, the worldwide acceptance
of social networks and its implementation using Web 2.0 is here to stay and flourish. It is up to
us to participate in this movement and continue to contribute towards the betterment of the
technology and concept for more contribution to the society as a whole.
8.7.8 Web 3.0
The term Web 3.0, also known as the Semantic Web, describes sites wherein the
computers will generate raw data on their own without direct user interaction. Web
3.0 is considered the next logical step in the evolution of the Internet and Web
technologies. For Web 1.0 and Web 2.0, the Internet is confined within the physical
walls of the computer, but as more and more devices such as smartphones, cars and
other household appliances become connected to the web, the Internet will be
omnipresent and could be utilized in the most efficient manner.
Web 2.0 technologies allow the use of the read/write web, blogs, interactive web
applications, rich media, tagging or folksonomy while sharing content, and also social
networking sites focusing on communities. At the same time, the Web 3.0 standard uses
semantic web technology, drag-and-drop mash-ups, widgets, user behavior, user
engagement, and consolidation of dynamic web content depending on the interests of
the individual users. Web 3.0 technology uses Data Web Technology, which
features data records that are publishable and reusable on the web through query-
able formats. The Web 3.0 standard also incorporates the latest research in the field
of artificial intelligence.
An example of a typical Web 3.0 application is one that uses content management
systems along with artificial intelligence. These systems are capable of answering
questions posed by users, because the application is able to think on its own and
find the most probable answer, depending on the context, to the query submitted by the
user. In this way, Web 3.0 can also be described as a machine-to-user standard on the
internet.
The two major components of Web 3.0 are as follows:
Semantic Web: This provides the web user a common framework that can be
used to share and reuse data across application, enterprise, and
community boundaries. This allows data and information to be readily
interpreted by machines, so that the machines are able to take contextual
decisions on their own by finding, combining and acting upon relevant information
on the web.
Web Services: A web service is a software system that supports computer-to-computer
interaction over the Internet. For example, the popular photo-sharing website
Flickr provides a web service that developers can use to programmatically
interface with Flickr in order to search for images.
To conclude, Web 3.0 helps to achieve more connected, open and intelligent web
applications using the concepts of natural language processing, machine learning,
machine reasoning and autonomous agents.
8.8 Summary
In this chapter, we have learned about the latest and emerging technologies. Cloud computing
is a type of computing that relies on sharing computing resources rather than having local
servers or personal devices to handle applications. In cloud computing, the word cloud (also
phrased as "the cloud") is used as a metaphor for the Internet so the phrase cloud computing
means "a type of Internet-based computing," where different services -- such as servers,
storage and applications -- are delivered to an organization's computers and devices through
the Internet.
Cloud computing has started to obtain mass appeal in corporate data centers as it enables the
data centre to operate like the Internet, by enabling computing resources
to be accessed and shared as virtual resources in a secure and scalable manner. For small
and medium-sized businesses (SMBs), the benefits of cloud computing are currently driving
adoption. In the SMB sector, there is often a lack of time and financial resources to purchase,
deploy and maintain infrastructure such as software, servers and storage. In cloud
computing, small businesses can access these resources and expand or shrink services as
business needs change. The common pay-as-you-go subscription model is designed to let
SMBs easily add or remove services, and you typically pay only for what you use.
Mobile computing is an emerging field of teaching and research. The goal of mobile computing
is to work towards true computing freedom (free from the tyranny of location), whereby users
can connect to the network from anywhere, anytime and operate as if they were sitting in the
"home" office.
Green computing, green IT or ICT sustainability, refers to environmentally sustainable
computing. It is largely taken as the study and practice of designing, manufacturing, using,
and disposing of computers, servers, and associated subsystems and peripheral devices efficiently
and effectively with highly mitigated negative impact on the environment. The goals of green
computing are similar to those of green chemistry: reduce the use of hazardous materials, maximize
energy efficiency during the product's lifetime, and promote the recyclability or biodegradability
of defunct products and factory waste. Many corporate IT departments have Green Computing
initiatives to reduce the environmental impacts of their IT operations, and things are evolving
slowly but not as a revolutionary phenomenon.